I. Discovering the XSS vulnerability
https://localhost/deals//'onmouseover%3d'prompt%28960807%29'bad%3d' XSS: requesting this URL returns a page that pops up a dialog (the prompt() call in the payload executes).
Printing the received parameters and variables:
Array
(
[ctl] => deals
[act] =>
['onmouseover='prompt(960807)'bad='] =>
)
For https://localhost/deals the received parameters are:
Array
(
[ctl] => deals
[act] =>
)
For https://localhost/deals/cid-28 the received parameters are:
Array
(
[ctl] => deals
[act] =>
[cid] => 28
)
II. XSS fix:
1. Enable URL rewriting in Apache by uncommenting the mod_rewrite line:
#LoadModule rewrite_module modules/mod_rewrite.so
LoadModule rewrite_module modules/mod_rewrite.so
2. Find the project directory's configuration and change AllowOverride None to All:
<Directory "/xampp/htdocs">
...
AllowOverride All
...
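The printed Array shows what goes wrong: the path segment after /deals/ is parsed straight into a parameter name, and that name is then written back into the page without encoding, so a segment containing quotes becomes a live event-handler attribute. Enabling mod_rewrite and AllowOverride only helps if the rewrite rule that then takes effect restricts the path to a safe character set (the rule itself is not shown on this page); HTML-encoding the output is the fix that holds regardless of how the URL was routed. The following is an added example, not code from the page's project: a minimal router of the kind the printed Array suggests, with a character whitelist on each segment (the effect a restrictive RewriteRule gives) and a vulnerable renderer beside its hardened form. The names NAME_RE, VALUE_RE, parse_route, render_unsafe and render_safe, the whitelist patterns and the link markup are assumptions made for this illustration.

```php
<?php
// Added example, not code from the page's project: a minimal path-segment
// router of the kind the printed Array suggests (ctl, act, key-value pairs such
// as cid-28), with two defensive measures. Function names, the whitelist
// patterns and the HTML rendering are assumptions made for this illustration.
declare(strict_types=1);

const NAME_RE  = '/^[A-Za-z0-9_]+$/';    // controller, action and key names
const VALUE_RE = '/^[A-Za-z0-9_.]+$/';   // values such as the 28 in cid-28

// Parse a request path such as "/deals/cid-28" into routing parameters.
// Returns null when any segment fails the whitelist so the caller can send a
// 404 instead of echoing the segment back into the page.
function parse_route(string $path): ?array
{
    $params = ['ctl' => '', 'act' => ''];
    // Drop empty segments, so the double slash in the page's URL does not
    // produce a blank parameter.
    $segments = array_values(array_filter(explode('/', $path), 'strlen'));

    foreach ($segments as $i => $seg) {
        if (strpos($seg, '-') === false) {
            // Bare segment: the first is the controller, the second the action.
            if (!preg_match(NAME_RE, $seg)) {
                return null;
            }
            if ($i === 0) {
                $params['ctl'] = $seg;
            } elseif ($i === 1) {
                $params['act'] = $seg;
            } else {
                return null; // a third bare segment has no meaning here
            }
            continue;
        }

        // "key-value" segment, e.g. cid-28 -> ['cid' => '28'].
        [$key, $value] = explode('-', $seg, 2);
        if (!preg_match(NAME_RE, $key) || !preg_match(VALUE_RE, $value)) {
            return null;
        }
        if ($key === 'ctl' || $key === 'act') {
            return null; // a value segment must not override routing
        }
        $params[$key] = $value;
    }
    return $params;
}

// Vulnerable rendering: keys and values are written into the HTML verbatim.
// A key such as 'onmouseover='prompt(960807)'bad=' lands inside the markup
// unchanged, which is the reflection the page describes.
function render_unsafe(array $params): string
{
    $html = '';
    foreach ($params as $k => $v) {
        $html .= "<a href='/$k/$v'>$k = $v</a>\n";
    }
    return $html;
}

// Hardened rendering: every parameter is HTML-encoded before it is written.
// ENT_QUOTES also converts single quotes, so attribute values delimited
// with ' cannot be broken out of.
function render_safe(array $params): string
{
    $html = '';
    foreach ($params as $k => $v) {
        $ek = htmlspecialchars((string) $k, ENT_QUOTES, 'UTF-8');
        $ev = htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');
        $html .= "<a href='/$ek/$ev'>$ek = $ev</a>\n";
    }
    return $html;
}

if (PHP_SAPI === 'cli') {
    // The two paths from the page; the second is rejected before rendering.
    print_r(parse_route('/deals/cid-28'));
    var_dump(parse_route("/deals//'onmouseover='prompt(960807)'bad='"));
    echo render_safe(parse_route('/deals/cid-28'));
}
```

Run it with `php router.php` (any file name works). The whitelist rejects the page's payload at parse time, so it never reaches a renderer; the second layer, render_safe(), matters for any value that does get through, because the routing rule and the output encoding fail independently of each other.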